Understand adminSDHolder and protected groups: http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

and http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx

and the older http://support.microsoft.com/kb/817433

How to audit and reset user and group objects protected by AdminSDHolder (adminCount attribute): http://www.windowsitpro.com/article/active-directory/Advanced-Active-Directory-Security-125777

Example / use case: http://cbfive.com/blog/post/AdminSDHolder-Permissions-Propagate-to-Protected-Accounts-But-Delegated-Permissions-Done28099t-Work.aspx

http://www.windowsitpro.com/article/permissions/access-denied-returning-to-a-domain-s-default-permissions-44914

AD security descriptors: http://www.selfadsi.org/deep-inside/ad-security-descriptors.htm

In French: http://www.ssi.gouv.fr/IMG/pdf/Audit_des_permissions_en_environnement_Active_Directory_article.pdf

——————————————————————————————————————————————————————————————

Modify adminSDholder container permissions?

http://technet.microsoft.com/en-us/library/cc772662%28v=ws.10%29.aspx

Usage of dsacls.exe: http://technet.microsoft.com/en-us/library/cc771151%28v=ws.10%29.aspx

Reset admincount?

So often the remedy is to reset adminCount (through ADSI) and re-enable inherited permissions with DSACLS (/P:N clears the "protect from inheritance" flag) for the objects (users) in question:
([ADSISearcher] "(adminCount=*)").FindAll() | foreach { $User = [ADSI] $_.Path; $User.adminCount.Clear(); $User.SetInfo(); dsacls "$($User.distinguishedName)" /P:N }

Else using Quest cmdlet: http://dmitrysotnikov.wordpress.com/2008/06/04/find-and-fix-broken-inheritance/
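The one-liner above resets every object that carries adminCount, but an account that is still a (possibly nested) member of a protected group gets adminCount=1 and the AdminSDHolder ACL stamped back at the next SDProp run, so only the "orphaned" objects (adminCount=1 but no longer protected) are worth resetting. The following script is an added example, not code from this page, the linked articles or Microsoft: it builds the set of objects SDProp actually protects (the default protected groups, their transitive members, and the built-in Administrator and krbtgt accounts), reports the orphans, repairs them with the same effect as the dsacls /P:N one-liner (supports -WhatIf), and dumps the ACEs on the AdminSDHolder object so they can be compared against a known-good baseline. It uses only [ADSI]/[ADSISearcher], so it runs on a domain-joined host without RSAT. Assumed: the caller can read adminCount and write the affected objects, and the protected-group list is the default one (exclusions configured through dsHeuristics are not parsed).

```powershell
# Added example (not from the page): audit and repair orphaned adminCount=1
# objects, and list the ACL on AdminSDHolder for baseline comparison.
$rootDse    = [ADSI]'LDAP://RootDSE'
$domainDn   = $rootDse.Properties['defaultNamingContext'].Value
$domainRoot = [ADSI]"LDAP://$domainDn"

# Default protected groups; Enterprise/Schema Admins only exist in the forest root.
# Assumption: no dsHeuristics exclusions are in effect.
$protectedGroupNames = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
)

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping for a value (e.g. a DN) embedded in an LDAP filter string.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function New-Searcher {
    $s = New-Object DirectoryServices.DirectorySearcher($domainRoot)
    $s.PageSize = 500                      # paged results: avoid the 1000-object cap
    $null = $s.PropertiesToLoad.Add('distinguishedName')
    $s
}

function Get-ProtectedMemberDn {
    # Set of DNs SDProp keeps protected: the protected groups, their transitive
    # members, plus the built-in Administrator (RID 500) and krbtgt (RID 502).
    $set = @{}
    $s = New-Searcher
    $domainSid = New-Object Security.Principal.SecurityIdentifier($domainRoot.Properties['objectSid'].Value, 0)
    foreach ($rid in 500, 502) {
        $s.Filter = "(objectSid=$domainSid-$rid)"
        foreach ($r in $s.FindAll()) { $set[$r.Properties['distinguishedname'][0]] = $true }
    }
    foreach ($name in $protectedGroupNames) {
        $s.Filter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $name)))"
        $group = $s.FindOne()
        if (-not $group) { continue }      # group does not exist in this domain
        $groupDn = $group.Properties['distinguishedname'][0]
        $set[$groupDn] = $true
        # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership server-side.
        $s.Filter = "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $groupDn))"
        foreach ($r in $s.FindAll()) { $set[$r.Properties['distinguishedname'][0]] = $true }
    }
    $set
}

function Find-OrphanedAdminCount {
    # adminCount=1 users/groups that SDProp no longer covers: the reset candidates.
    $protected = Get-ProtectedMemberDn
    $s = New-Searcher
    $null = $s.PropertiesToLoad.Add('sAMAccountName')
    $s.Filter = '(&(|(objectCategory=person)(objectCategory=group))(adminCount=1))'
    foreach ($r in $s.FindAll()) {
        $dn = $r.Properties['distinguishedname'][0]
        if (-not $protected.ContainsKey($dn)) {
            [pscustomobject]@{
                SamAccountName    = $r.Properties['samaccountname'][0]
                DistinguishedName = $dn
            }
        }
    }
}

function Repair-OrphanedAdminCount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($orphan in Find-OrphanedAdminCount) {
        if ($PSCmdlet.ShouldProcess($orphan.DistinguishedName, 'Clear adminCount and re-enable inheritance')) {
            $obj = [ADSI]"LDAP://$($orphan.DistinguishedName)"
            $obj.Properties['adminCount'].Clear()            # remove the attribute entirely
            # Clearing the "protected DACL" flag is what dsacls <dn> /P:N does;
            # $true keeps the existing explicit ACEs in place.
            $obj.ObjectSecurity.SetAccessRuleProtection($false, $true)
            $obj.CommitChanges()
        }
    }
}

function Get-AdminSDHolderAce {
    # The ACL SDProp copies onto every protected object on each run; any ACE not
    # in your baseline is worth investigating, since it propagates to all admins.
    $holder = [ADSI]"LDAP://CN=AdminSDHolder,CN=System,$domainDn"
    $holder.ObjectSecurity.GetAccessRules($true, $true, [Security.Principal.NTAccount]) |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
}

Find-OrphanedAdminCount | Format-Table -AutoSize
Repair-OrphanedAdminCount -WhatIf        # remove -WhatIf to apply the fix
Get-AdminSDHolderAce | Format-Table -AutoSize
```

Run it first with -WhatIf and keep the orphan list; an orphan is either a leftover from a removed admin membership (reset it) or a sign that someone was in a protected group you did not expect (look at why). The AdminSDHolder ACE dump is most useful diffed against a copy taken when the domain was known to be clean, since the object is rarely legitimately modified.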

Modifying How Often SDPROP Runs?
If the default frequency of 60 minutes for SDPROP to run isn’t sufficient, you can change it by creating or modifying the AdminSDProtectFrequency entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters subkey.
If this key doesn’t exist, the default frequency (60 minutes) is used.
You can configure the frequency to anywhere between one minute and two hours. You must enter the number of seconds when creating or modifying the registry entry. The following command will configure SDPROP to run every 10 minutes (600 seconds):
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /V AdminSDProtectFrequency /T REG_DWORD /F /D 600
Note, however, that modifying this subkey isn’t recommended because doing so can increase LSA (Local Security Authority) processing overhead.